By Michael W Lucas, on May 21st, 2013 My master nameserver runs BIND 9.9, so I can do DNSSEC easily. I’ve installed from ports, but used the REPLACE_BASE option so that it overwrites the BIND 9.8.3 install included in the base system. That way I don’t have to worry about having multiple versions of the same command on different systems.
I patch this . . . → Read More: FreeBSD-update vs bind99-base
By Michael W Lucas, on May 6th, 2013 Ansible is a tool for managing servers en masse, much like Puppet or CFEngine. Ansible has a shallower learning curve than either of those systems, however, and it’s idempotent. How do I know it has a shallower learning curve? Because I learned enough of it to do actual useful work in only a couple of . . . → Read More: Basic Ansible Playbooks
By Michael W Lucas, on May 3rd, 2013 I’m dragging my work environment from “artisan system administration” to mass-managed servers. Part of this is rationalizing, updating, and centralizing management of packet filter rules on individual hosts. Like many environments, I have a list of “management IP addresses” with unlimited access to every host. Managing this is trivial on a BSD machine, thanks to . . . → Read More: iptables and ipsets
By Michael W Lucas, on April 17th, 2013 You can now get the complete DNSSEC Mastery: Securing the Domain Name System with BIND at Amazon, Barnes & Noble, Smashwords, and my personal ebookstore. It should (hopefully) trickle through to iTunes & such before long.
This book was a real education to write. Hopefully it will help improve the state of DNS security across . . . → Read More: “DNSSEC Mastery” now complete, ebook version available!
By Michael W Lucas, on March 13th, 2013 Anyone who has run a FreeBSD server for any length of time has seen these messages in their daily security emails. (You do read those, right?)
+Limiting icmp unreach response from 296 to 200 packets/sec +Limiting icmp unreach response from 337 to 200 packets/sec +Limiting icmp unreach response from 318 to 200 packets/sec +Limiting icmp . . . → Read More: Diagnosing “+Limiting icmp unreach response from…” with tcpdump
By Michael W Lucas, on February 25th, 2013 I’ve had really good luck asking random people to do work for me, so I’m going to try it again.
RFC6698 defines the DANE protocol for attaching information to DNSSEC-secured DNS. Notably, you can validate SSL certificates via DNS. This is a game-changer. The key here is the TLSA DNS record.
Web browsers don’t support . . . → Read More: Any Firefox add-on people out there?
By Michael W Lucas, on February 20th, 2013 Last night, I finished the first draft of DNSSEC Mastery. If you’re one of my fans who wants to see the existing work, a pre-pub version is now available on LeanPub.
Now I’m looking for people familiar with DNSSEC on BIND to read the book and tell me where I’ve screwed up.
This book is . . . → Read More: DNSSEC Tech Reviewers Wanted
By Michael W Lucas, on January 31st, 2013 By popular demand (mainly on Twitter) I’ve made the work-in-progress version of DNSSec Mastery available on LeanPub.
This is an experiment. If it works well, I’ll do it again. If not… I won’t.
Why would you be interested?
It’s cheap. I intend to sell the finished ebook for $9.99. The work-in-progress version is $7.99. I . . . → Read More: “DNSSec Mastery” in-progress version available
By Michael W Lucas, on January 28th, 2013 One of the most tedious tasks any network admin faces is replicating changes across multiple devices. I recently stood up new RADIUS servers, and needed to tell all of my routers and switches about it. Rather than logging into each router by hand and pasting in the new configuration, I decided to try RANCID's ability . . . → Read More: Configuration Automation with RANCID
By Michael W Lucas, on January 7th, 2013 One of the problems with the Internet is that old stuff hangs around forever. Configuring DNSSec validation on BIND 9.8 and newer is a lot easier than many of the popular tutorials would lead you to suspect. It’s so simple that I wonder why it isn’t the default.
options { … dnssec-enable yes; dnssec-validation auto; . . . → Read More: DNSSec and DLV on current BIND